What exactly is the ISO 29100 Privacy Framework?
ISO/IEC 29100 establishes a high-level framework for safeguarding Personally Identifiable Information (PII) in Information and Communication Technology systems (ICT). This privacy framework provided by ISO/IEC 29100 applies not only to organizations, but also to individuals who use ICT and require privacy controls in order to process PII.
ISO/IEC 29100:2011 establishes a privacy framework that:
- Creates a common privacy terminology.
- Identifies the participants and their roles in the processing of personally identifiable information (PII).
- Describes privacy safeguarding considerations.
- Provides references to well-known information technology privacy principles.
ISO/IEC 29100:2011 edition 1 applies to natural persons and organizations who specify, procure, architect, design, develop, test, maintain, administer, and operate information and communication technology systems or services that require privacy controls for the processing of PII.
The ISO/IEC 29100:2011/Amd 1:2018 reference document is a 21-page document that was last amended in 2018. ISO/IEC 29100 Edition 2 is now being developed under ISO/IEC DIS 29100.
Stages of an ISO Document
The DIS (Draft International Standard) stage is critical in the development of an ISO Standard. A DIS is the culmination of work completed by a Working Group and approved by a Technical Committee. A document that has reached the DIS stage is more than 95% technically correct. A DIS is submitted to all 89 voting nations of ISO for a five-month approval vote. Any proposed changes made as a result of this voting process must be reviewed by the Technical Committee and may be accepted or rejected.
The newly modified DIS is distributed to voting nations as an FDIS (Final Draft International Standard) for final approval (yes or no). The FDIS approval automatically instructs ISO to publish the document as a formal ISO Standard within 60 days of the FDIS approval.
What is the total number of controls included in the ISO 29100 Privacy Framework?
The ISO 29100 privacy framework does not include formal requirements that a company must follow, but it does include bullet points under each of its proposed principles that discuss what it means to adhere to the principle, which many organizations refer to as proposed controls. The original ISO 29100 framework proposed approximately 70 controls that fall under (or can be considered subcategories of) the following categories:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention, and disclosure limitation
- Accuracy and quality
- Openness, transparency, and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
How many principles are contained in ISO 29100?
While the privacy framework does not propose formal requirements for each of the aforementioned principles, it does provide bullet points that explain what it means to “adhere” to each. Those bullet points can be thought of as controls that an organization might think about in relation to each principle.
Terminology
- ISO stands for the International Organization for Standardization.
- IEC stands for International Electrotechnical Commission.
